Setup invisible Captcha service on login/signup form

[FelixMalfait]

We should introduce an invisible Captcha on the login/signup form.

As always we try to have a driver-driven instance to allow each self-hosted instance to pick their provider of choice so let's try to use env variables for the validation URL / KEY (and PROVIDER var eventually if the implementation detail change from one to another).

The 3 services we should look to support are:

• Google invisible recaptcha https://developers.google.com/recaptcha/docs/invisible
• Cloudflare turnstile https://www.cloudflare.com/products/turnstile/
• hCaptcha invisible https://docs.hcaptcha.com/invisible/

[i-am-chitti]

Hi @FelixMalfait, I'm interested in working on this. Please have a review of below notes to be on same page -

• expose an environment variable for which provider to use. This'll also be populated on frontend clientConfig so that frontend can conditionally load and use the provider.
• The flow can be understood best by - https://docs.hcaptcha.com/#request-flow. This remains same for all three.
• All three provides the programatical invocation. So, once user clicks on 'Submit' button, I'll trigger the execution and get the token or passcode from respective provider.
  • https://developers.google.com/recaptcha/docs/v3#programmatically_invoke_the_challenge
  • https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/#execution-modes
  • https://docs.hcaptcha.com/invisible#programmatically-invoke-the-challenge
• We'll require a GQL query endpoint which accepts this token and returns if captcha verification was successful. In its response, display a snackbar of recaptcha failed message and reset the execution so that passcode can be re-generated.
• This GQL query will internally make call to the provider to verify the passcode. Docs can be found here -
  • https://developers.google.com/recaptcha/docs/verify
  • https://developers.cloudflare.com/turnstile/get-started/server-side-validation/
• If there is no environment variable present, then, skip the recaptcha validation on frontend.
• To load the script of each provider conditionally, I'll be using the react-helmet-async. This is done only in form component.

    <Helmet>
      <script
        src="https://www.google.com/recaptcha/api.js?render=6Le-alYpAAAAAEW_lYoHgrVofgdZRfeLjU4TcjtJ"
        async
        defer
      ></script>
    </Helmet>

To make it driver driven, I'll be taking inspiration from existing drivers like SMTP for email.

One doubt though -

• By Google invisible recaptcha, I think you're referring to v3, right?

[FelixMalfait]

Legend @i-am-chitti you're everywhere 😅 - thanks!!!

Agree with everything you said. And yes v3.

I just have a doubt on react-helmet, I'm not the most qualified to answer technical questions. What you suggest seems like a nice and clean approach, actually cleaner than what we do here in my opinion: https://github.com/twentyhq/twenty/blob/main/packages/twenty-front/src/modules/support/components/SupportChat.tsx But it would be great to get confirmation from @lucasbordeau

[lucasbordeau]

Current implementation with insertScript seems fine, although we could extract it in an external hook.

[i-am-chitti]

Thanks @FelixMalfait and @lucasbordeau for the notes. I've started working on this.

[FelixMalfait]

Hey @i-am-chitti let us know if you have questions! I know this isn't a small task and you have other things to do :)

[i-am-chitti]

Hi @FelixMalfait, The backend is ready and on frontend, I've completed integrating the Google recaptcha. Currently, hCaptcha and Turnstile is pending on frontend.

Didn't get time to work on this past two weeks. Just synced my main branch and found I've lots of merge conflicts. I'm resolving them. Will complete the pending integrations and raise PR in some days.